mirror of
https://github.com/github/codeql.git
synced 2026-06-19 03:41:07 +02:00
ASP.NET Core Razor Page handler method parameters (OnGet, OnPost, etc.) were not modeled as remote flow sources, causing security queries like SQL injection to miss vulnerabilities in PageModel subclasses.

This adds AspNetCorePageHandlerMethodParameter, analogous to the existing AspNetCoreActionMethodParameter for MVC controllers, using the existing PageModelClass.getAHandlerMethod() from Razor.qll.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
24 lines
1.1 KiB
Plaintext
remoteFlowSourceMembers
| AspRemoteFlowSource.cs:10:23:10:31 | RequestId |
| AspRemoteFlowSource.cs:11:23:11:36 | RequestIdField |
| AspRemoteFlowSource.cs:28:23:28:29 | Tainted |
remoteFlowSources
| AspRemoteFlowSource.cs:20:42:20:50 | viewModel |
| AspRemoteFlowSource.cs:35:42:35:46 | param |
| AspRemoteFlowSource.cs:43:58:43:63 | newUrl |
| AspRemoteFlowSource.cs:44:61:44:65 | myApi |
| AspRemoteFlowSource.cs:44:75:44:79 | myUrl |
| AspRemoteFlowSource.cs:46:46:46:56 | lambdaParam |
| AspRemoteFlowSource.cs:52:65:52:76 | mapPostParam |
| AspRemoteFlowSource.cs:53:63:53:73 | mapPutParam |
| AspRemoteFlowSource.cs:54:69:54:82 | mapDeleteParam |
| AspRemoteFlowSource.cs:56:41:56:44 | item |
| AspRemoteFlowSource.cs:64:43:64:47 | param |
| AspRemoteFlowSource.cs:71:34:71:35 | id |
| AspRemoteFlowSource.cs:73:35:73:41 | command |
| AspRemoteFlowSource.cs:73:48:73:52 | count |
| AspRemoteFlowSource.cs:75:40:75:43 | data |
| AspRemoteFlowSource.cs:77:34:77:38 | value |
| AspRemoteFlowSource.cs:79:37:79:42 | itemId |
| AspRemoteFlowSource.cs:92:35:92:46 | derivedParam |
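
The kind of code the commit message refers to, as an added example (not taken from the CodeQL repository or from AspRemoteFlowSource.cs): a Razor Pages PageModel whose handler parameter reaches a SQL command, with a parameterized handler beside it. The class, table, column and connection-string names are hypothetical.

```csharp
#nullable enable
// Added illustration; OrderLookupModel, the Orders table and the
// connection string are hypothetical and not part of the CodeQL tests.
using System.Data;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;
using Microsoft.Data.SqlClient;

public class OrderLookupModel : PageModel
{
    private const string ConnectionString = "<connection-string-placeholder>";

    public string? Status { get; private set; }

    // "Before": customerId is bound from the request by the framework, so it
    // is untrusted. Concatenating it into the SQL text is the source-to-sink
    // flow a SQL injection query cannot report unless the handler parameter
    // is treated as a remote flow source.
    public void OnGet(string customerId)
    {
        using var conn = new SqlConnection(ConnectionString);
        conn.Open();
        var sql = "SELECT Status FROM Orders WHERE CustomerId = '" + customerId + "'";
        using var cmd = new SqlCommand(sql, conn);
        Status = cmd.ExecuteScalar() as string;
    }

    // "After": the same untrusted parameter, validated for length and bound
    // as a typed SqlParameter so it never becomes part of the SQL text.
    public IActionResult OnPost(string customerId)
    {
        if (string.IsNullOrWhiteSpace(customerId) || customerId.Length > 64)
            return BadRequest();

        using var conn = new SqlConnection(ConnectionString);
        conn.Open();
        using var cmd = new SqlCommand(
            "SELECT Status FROM Orders WHERE CustomerId = @customerId", conn);
        cmd.Parameters.Add("@customerId", SqlDbType.NVarChar, 64).Value = customerId;
        Status = cmd.ExecuteScalar() as string;
        return Page();
    }
}
```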